usi sing dig g digit ital al for oren ensi sics cs to to
play

Usi sing Dig g Digit ital al For oren ensi sics cs to to Id - PowerPoint PPT Presentation

Nov 17, 2022 •351 likes •1.34k views

Usi sing Dig g Digit ital al For oren ensi sics cs to to Id Iden enti tify & I y & Inves esti tiga gate te Fr Frau aud Pr Present nter: Damon on Hack cker, MBA, , CCE, E, CISA SA Preside ident Vestige ige

  1. Usi sing Dig g Digit ital al For oren ensi sics cs to to Id Iden enti tify & I y & Inves esti tiga gate te Fr Frau aud Pr Present nter: Damon on Hack cker, MBA, , CCE, E, CISA SA Preside ident Vestige ige Digit igital I l Inv nves estiga igations tions

  2. Ves ● tige ( véŝ tĭj ) n. 1. A visible trace, evidence or sign of something that has once existed but now no longer exists or appears.

  3. Overview • Open Your Eyes • Real-World Scenarios • What Computer Forensics Can and Cannot Do • Forensic Techniques Overview/Primer • What You Need to Know • Q&A

  4. Xerox DocuColor 12 page, magnified 10x and photographed by the QX5 microscope under illumination from a Photon blue LED flashlight

  6. Scenarios • Real-World Examples • Vestige Involved • Some Information is in Public Domain, Most is Not. • Information Changed to Protect the identities of those involved. • May be a compilation of more than one case to make a specific point or further protect identities.

  7. Scenario 1 • The Scene: • Wrongful Termination lawsuit • Sending of “over -the- top” e -mails • Two places at once?

  10. So, , where do we turn?

  11. I.T.’s Findings Deposition ends: 11:15am in Detroit ------------------------ • Tracked IP Address How can this be?

  12. I.T.’s Findings • Ventura, California

  13. Kinko’s Kooperates • Registration/Login • Payment Method • Surveillence

  14. Results

  15. Scenario 2 • Tail-end of litigation • Plaintiff wins matter and is awarded attorneys fees • Disparate amounts spent between plaintiff & defendant • Defendant’s counsel believes Plaintiff’s counsel has “stuffed” time entry

  16. Scenario 2 • Review of Time & Billing Software • No apparent manipulation • Chronology looked appropriate • Defendant’s analysis concluded no manipulation.

  17. Scenario 2 • Vestige Analysis • Review of database, behind-the-scenes • Time & Billing software uses off-the-shelf back-end database, albeit not a common one • Vestige tools to review data at database level • Vestige created “parsing” utility to extract and review deleted records

  18. Scenario 2 • Analysis reviewed approximately 40% overbilling occurring • “Stuffing” time entries sequentially at end of case • Replacement entries that were 2x-10x the amount of the deleted entries they replaced • Adjustment and sanctions

  19. Scenario 3 • $30 Million shortage in commodities • $3 Billion company • 3000+ employees • 100s of thousands financial transactions • No initial persons of interest Hypothesis: Internal controls would require collusion to pull off fraud. Individuals ought to be communicating with one another.

  20. Scenario 3 1. Take backup tape from email system last year 2. Take backup tape from email system last month 3. Index every word and frequency per user 4. Import word Index, frequency per user, and frequency count into Excel 5. Using Excel calculate median frequency per user for each word 6. Identify words having frequency per user far greater than median • Led to determination of “do you want cheese with that?” in excess of 2000% greater than median frequency for 3 individuals

  21. Scenario 3 • Requests for financial statements accompanied by “Do you want cheese with that?” • Innocuous sounding word/phrase • Not in selection set for typical keyword search

  22. Scenario 4 • Stolen Laptops • Law Enforcement’s involvement • Stupidity at its finest

  23. Scenario 5 • Wage/Hour Class Action • Non-Exempt classified as Exempt • Timeframe stretches back 3-4 years

  24. By the Numbers Fraud Statistics

  25. Typical Fraud • Typical organization loses 5% of annual revenues to various frauds • $6.3 TRILLION issue worldwide • Median loss $150,000 • In 94.5% of cases in study, perpetrator took efforts to conceal the fraud! Source: 2016 Report to the Nations on Occupational Fraud and Abuse. The Association of Certified Fraud Examiners

  26. Detecting Fraud • Time to detection – median is 18 months • How Fraud was Detected: • Tip – 39.1% • Internal Audit – 16.5% • Management Review – 13.4% • By Accident – 5.6% • Account Reconciliation – 5.5% • External Audit – 3.8%

  27. Controls • Strong linkage between anti-fraud controls: • Significant decrease in cost • Decrease in duration of time-to-detection

  28. Perpetrator • 94.5% are first-time offenders • Clean employment history • No criminal background • 79% of cases, perpetrator exhibited “red flag” behavior • Living beyond means • Financial Difficulties • Unusually close association with vendors/clients • Excessive control issues/wheeler-dealer attitude • Recent divorce / family problems

  29. Why People Commit Fraud • The Psychology of Fraud Rationalization

  30. In Intersection of f Technology & Fraud • Opportunity • Majority of financial transactions are Technology-linked • Less tangible – belief its harder to get caught • Availability of software • Personal accounting software • Document alteration • Access to information • Research on techniques & cover-up

  31. What Dig igit ital Forensics Can and Cannot Do

  33. What you can expect • Content • Keyword search for content/communication • ALL correspondence • Hidden information • Deleted information • Orphaned information • Encrypted information

  34. • Correspondence • Memos • Emails • Instant messages • Faxes • Deleted • Old and forgotten

  35. • Business Records • Financial data • Assets • Calculations • PRIOR DRAFTS • DELETED DRAFTS • Projections • Everything you could imagine

  36. • Every Website visited • All pictures from those websites • Every Website from popups and popunders • All maps, from Mapquest for example

  37. Every INTERNET SEARCH & the Search Results

  38. What you can expect • Conceptual Analysis • How the computer was used • IM activity – dates/times, frequency, who • File Transfers • E-mails – activity • CD/DVD burning • Web-based E-mails • Attached hardware • Deletion activity • Other networks attached • Wiping activity • Remote Access activity • Software installed • Do we have the “Right” system?

  39. What you can expect • Condition of evidence • Used by others • Formatted • Re-partitioned • Damaged • Wiped/Cleansed/Sanitized

  40. What Digital Forensics Can’t Do • Find evidence that isn’t there • Never was on this evidence • May have been on this evidence but was overwritten • Wrong Interpretations • Artifact analysis • Example: Defragmenting • “Who was at the keyboard?” Some analysis will allow the answer to be inferred.

  41. Sample Case

  42. What You Need to Know

  43. Locard’s Exchange Pri rinciple “In forensic science, Locard’s principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it – both of which can be used as forensic evidence.”

  44. Sources vs Documents • Identify Appropriate “Key” Devices • Key-players • Expanded Key-players • Administrative Assistants • Other likely correspondents, etc. • Observing Devices • Monitors, surveillance • Pass-Thru Devices • Routers, firewalls, servers, monitoring systems • Passive Devices • i.e. conveyor

  45. Evidence Vola latility Registers, Cache • Rate at which evidence disappears Memory, Routing Tables, Process Tables Temporary Files Disk & Other “permanent” storage Logging & Monitoring Data Archives

  46. Potential Sources  ISP  Honeypot  Router  Virtual Machines  Firewall  Cloud Service  IDS/IPS  General Network Sniffers  Managed Switches  Backup tapes/disks  Servers  Replication sites  Workstations  Disaster Recovery sites  Other monitoring devices  Digital Scale & other Measuring Devices (alarm system)  RFID Data  Log files  “Black Boxes”  GPS  Video Surveillance  Cell Tower Data  Payment or other Registration Info  Syslog

  47. Methodology

  48. Acquisition Authentication Analysis Presentation

  49. Acquisition • First & Foremost: Evidence Preservation • Admissibility in Court • Protection of All Parties Involved… even the investigator • Avoid Contamination/Spoliation of Evidence

  50. Acquisition • Completeness • “The Whole Truth” • Used & Unused (Unallocated) Space • Active & Inactive Systems • Seemingly “Inaccessible” Systems & Media

  51. Acquisition • Methodology • Forensically-sound Bit-for-Bit Clone • Copy, clone, mirror • Write-protect • Place on Sterile Media • MD5 or other authentication hash • Chain of Custody • Seal Evidence

  52. Authentication • Authenticate: • Prove “no change” • Prove Clones ARE the Same • Method • MD5 Hash (digital fingerprint) • Industry-standard, industry-recognized • 128-bit • 1 in 1x10 38 chance for deceiving • 1 in 100,000,000,000,000,000,000,000,000,000,000,000,000 • DNA Evidence is 1 in 1,000,000,000

  53. Authenticate • Our Methodology • MD5 Hash – Digital Fingerprint MD5 702865f9ebd7478fbab050ed6b4612f0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Boo ook Acq cquis isitio ion in n the the (ne (new) era er a of of dig digit ital l

Boo ook Acq cquis isitio ion in n the the (ne (new) era er a of of dig digit ital l

Boo ook Acq cquis isitio ion in n the the (ne (new) era er a of of dig digit ital l ed educatio ion (Edit/crop photo to align within this space) 3 June 2020 Zoe Loveland, Sr Director Regional Marketing EMEAI Cherry Otto, Market

520 views • 35 slides
Th The e Se Secr cret of of Digital Transformation Ho How w to Dig Digit ital ally

Th The e Se Secr cret of of Digital Transformation Ho How w to Dig Digit ital ally

Th The e Se Secr cret of of Digital Transformation Ho How w to Dig Digit ital ally ly Tra rans nsform orm Your ur Or Orga ganiz nizat ation ion June 16, 2016 A St Story y Abou out t Di Disn sney Poli licing cing

887 views • 36 slides
What is NEMOG? New Economic nomic Models ls & O Opportuniti ortunities es for digit ital

What is NEMOG? New Economic nomic Models ls & O Opportuniti ortunities es for digit ital

What is NEMOG? New Economic nomic Models ls & O Opportuniti ortunities es for digit ital al Games es Pet eter er Feng eng Kiran n Ignazio azio Daniel iel Cowli wling ng Li Li Fernan ernandes des Cabra ras Kuden

407 views • 18 slides
Dig Digit ital al So Solu lutions ions for or Africa Af ican A n Agr gricu icultu

Dig Digit ital al So Solu lutions ions for or Africa Af ican A n Agr gricu icultu

Dig Digit ital al So Solu lutions ions for or Africa Af ican A n Agr gricu icultu lture re Ms. Atsuko TODA, Director, Agriculture Finance & Rural Development Ms. Olukemi AFUN-OGIDAN, Principal Agribusiness Officer I. I. In

429 views • 41 slides
Map of th the In Inte terio ior Wo World Di Digit ital l Coll llage ge 2008

Map of th the In Inte terio ior Wo World Di Digit ital l Coll llage ge 2008

Ed Eduardo rdo Recife ife, , Map of th the In Inte terio ior Wo World Di Digit ital l Coll llage ge 2008 Presentation By Nan Quinlan 2011 Kyoto Font Recife states that Typography for me is so strong because its a

197 views • 6 slides
Q1 2019 Financial Results and Strategy Update SET Digit ital al Roadshow show 5 June ne 2019

Q1 2019 Financial Results and Strategy Update SET Digit ital al Roadshow show 5 June ne 2019

Q1 2019 Financial Results and Strategy Update SET Digit ital al Roadshow show 5 June ne 2019 2019 Ke Key y Hi Highlights lights Industry dustry Tre rends ds St Stra rategy tegy an and Gr Grow owth th Finan Fi anci cial

610 views • 43 slides
The e Digit ital l Ar Archiv ive George Soules Southwest Harbor Public Library October 4,

The e Digit ital l Ar Archiv ive George Soules Southwest Harbor Public Library October 4,

The e Digit ital l Ar Archiv ive George Soules Southwest Harbor Public Library October 4, 2019 Maine Archives & Museums Annual Conference University of Maine Hutchinson Center, Belfast Maine George Soules: Volunteer archivist who

834 views • 60 slides
Register Allocaon and Instrucon Scheduling in Unison Roberto Castaeda Lozano SICS, KTH

Register Allocaon and Instrucon Scheduling in Unison Roberto Castaeda Lozano SICS, KTH

Register Allocaon and Instrucon Scheduling in Unison Roberto Castaeda Lozano SICS, KTH joint work with: G. Hjort Blindell KTH, SICS M. Carlsson SICS F. Drejhammar SICS C. Schulte KTH, SICS This research has been

891 views • 54 slides
My y Dig igit ital al Sib iblin ling Andy Fawkes DRAFT as of 6-Jan-20 Ove vervi view ew

My y Dig igit ital al Sib iblin ling Andy Fawkes DRAFT as of 6-Jan-20 Ove vervi view ew

IT 2 EC London 28 April 2020 My y Dig igit ital al Sib iblin ling Andy Fawkes DRAFT as of 6-Jan-20 Ove vervi view ew Digital Twins Fidelity Capability Life Cycle Digital Sibling Di Digit gital al Tw Twins

781 views • 29 slides
Formal Methods Research at SICS and KTH - An Overview - Mads Dam SICS and KTH/IMIT FMICS'03

Formal Methods Research at SICS and KTH - An Overview - Mads Dam SICS and KTH/IMIT FMICS'03

FORMAL DESIGN TECHNIQUES Formal Methods Research at SICS and KTH - An Overview - Mads Dam SICS and KTH/IMIT FMICS'03 Rros,Norway, June 2003 1 FORMAL DESIGN TECHNIQUES Executive Summary Group of researchers from SICS and IMIT, KTH

401 views • 9 slides
Introduc Introduc Intr troduction to oducti tion t tion to Digi n to Di Digit gital I

Introduc Introduc Intr troduction to oducti tion t tion to Digi n to Di Digit gital I

E E LE LE 882 882 Introduc Introduc Intr troduction to oducti tion t tion to Digi n to Di Digit gital I ital Im tal Image P l Image age Pr e Proc Process ocessin ocessing essing ing Course Instructor: Prof. L ing Gua n

358 views • 22 slides
Re ta il 2.0 Pre se nte d By: Glo b a l Purc ha sing Co mpa nie s www.g lo b a lpurc ha sing g

Re ta il 2.0 Pre se nte d By: Glo b a l Purc ha sing Co mpa nie s www.g lo b a lpurc ha sing g

Re ta il 2.0 Pre se nte d By: Glo b a l Purc ha sing Co mpa nie s www.g lo b a lpurc ha sing g ro up.c o m www.globalpurchasinggroup.com Top 5 Rules before you go into the retail business 1.You are not opening this store/boutique for your

691 views • 35 slides
Is Democracy Possible? Nir Oren n.oren @abdn.ac.uk University of Aberdeen March 30, 2012 Nir

Is Democracy Possible? Nir Oren n.oren @abdn.ac.uk University of Aberdeen March 30, 2012 Nir

Is Democracy Possible? Nir Oren n.oren @abdn.ac.uk University of Aberdeen March 30, 2012 Nir Oren (Univ. Aberdeen) Democracy March 30, 2012 1 / 30 What are we talking about? A system of government by the whole population or all the

809 views • 47 slides
System Architecture with NoSQL and RavenDB Oren Eini oren@ravendb.net Hibernating Rhinos

System Architecture with NoSQL and RavenDB Oren Eini oren@ravendb.net Hibernating Rhinos

System Architecture with NoSQL and RavenDB Oren Eini oren@ravendb.net Hibernating Rhinos Meet Edgar F. Codd 5 MB drive, 1956 10 MB drive, 1981 5 TB hard disk, 2016 In time Average salary: 75,000 R$ 5MB HD = 78.3 man years 5

409 views • 19 slides
Statistical Natural Language Processing Sing DET NOUN PUNCT Def Sing 3s,Pres Sing,Dem case

Statistical Natural Language Processing Sing DET NOUN PUNCT Def Sing 3s,Pres Sing,Dem case

Statistical Natural Language Processing Sing DET NOUN PUNCT Def Sing 3s,Pres Sing,Dem case PROPN det obl root det nsubj punct . ltekin, VERB DET Summer Semester 2018 Next . ltekin, SfS / University of Tbingen

442 views • 4 slides
Dialogue Managing the Unexpected Managing the Unexpected the Role of the Regulatory Body

Dialogue Managing the Unexpected Managing the Unexpected the Role of the Regulatory Body

Swiss Federal Nuclear Safety Inspectorate ENSI Dialogue Managing the Unexpected Managing the Unexpected the Role of the Regulatory Body Cornelia Ryser, ENSI, Switzerland IAEA Technical Meeting Vienna, 25 29 June 2012 Assumptions

543 views • 4 slides
Quick guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Quick guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Quick guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3: Installing RSBlog! Step 4: Import plugins (optional) 4.1 Download the import plugins 4.2 Install the plugins 4.3 Import Joomla! articles 4.4 Import K2

794 views • 20 slides
Community Foundation Friday, Mar 21, 2019 8:30 am - 9:30 am careersincode.org Follow along at

Community Foundation Friday, Mar 21, 2019 8:30 am - 9:30 am careersincode.org Follow along at

Community Foundation Friday, Mar 21, 2019 8:30 am - 9:30 am careersincode.org Follow along at careersincode.org/nonprofit rundown. - Our mission - Program rundown - Students, instructors, and partners - Measuring success - Curriculum

259 views • 24 slides
The Shak he Shaker er Heights Heights Building Car Building Card d Da Data tabase base A

The Shak he Shaker er Heights Heights Building Car Building Card d Da Data tabase base A

Society of Ohio Archivists spring meeting May 18, 2012 Ohio Historical Records Advisory Board Regrants Program panel The Shak he Shaker er Heights Heights Building Car Building Card d Da Data tabase base A Collaboration of the Shaker

169 views • 14 slides
FY 2018 Budget Work Session Communications Department April 18, 2017 Purpose To provide the

FY 2018 Budget Work Session Communications Department April 18, 2017 Purpose To provide the

FY 2018 Budget Work Session Communications Department April 18, 2017 Purpose To provide the Board of County Commissioners with an update on the Communications Departments activities and proposed FY 2018 Budget. Presentation Outline

385 views • 36 slides
SharePoint 2010 Intranet Case Study Presented by Peter Carson President, Envision IT Peter

SharePoint 2010 Intranet Case Study Presented by Peter Carson President, Envision IT Peter

SharePoint 2010 Intranet Case Study Presented by Peter Carson President, Envision IT Peter Carson President, Envision IT Virtual Technical Specialist, Microsoft Canada Computer Engineering, UW peter@envisionit.com

452 views • 27 slides
Present A Professional Web Developer for Life & General Insurance Professionals VJ Infosoft

Present A Professional Web Developer for Life & General Insurance Professionals VJ Infosoft

VJ Infosoft Pvt. Ltd. Present A Professional Web Developer for Life & General Insurance Professionals VJ Infosoft Pvt Ltd. - Profile We are located in a city, Rajkot in a state of Gujarat, and servicing our products since 2009.

984 views • 22 slides
Chapter 11 : Informatics Practices Interface python Class XII ( As per with SQL CBSE Board)

Chapter 11 : Informatics Practices Interface python Class XII ( As per with SQL CBSE Board)

Chapter 11 : Informatics Practices Interface python Class XII ( As per with SQL CBSE Board) Database And SQL commands New Syllabus 2019-20 Visit : python.mykvs.in for regular updates Interface python with SQL Database A database is

270 views • 22 slides
How Robotic Process Automation and Artificial Intelligence Will Change Outsourcing September 27,

How Robotic Process Automation and Artificial Intelligence Will Change Outsourcing September 27,

How Robotic Process Automation and Artificial Intelligence Will Change Outsourcing September 27, 2017 Brad Peterson Rohith George Partner Partner +1 312 701 8568 +1 650 331 2014 bpeterson@mayerbrown.com rgeorge@mayerbrown.com Speakers

468 views • 23 slides

More recommend